ExchangeCve-2021-26855

Windowsv1

Author: Dennis Reneau

description

Exchange Server Vulnerability *.Compiled Files

paths

4 paths

› paths use Windows environment syntax

collection commands

source:

destination:

# PowerShell Artifact Collection Script
# Target: ExchangeCve-2021-26855
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase   = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# 1. Exchange Server Modified Compiled Files
Collect-Artifact -SourceDir "C:\Windows\Microsoft.NET\Framework*\v*\Temporary ASP.NET Files" -FileMask "Regex:*.\b[a-zA-Z0-9_-]{8}\b.compiled" -FolderName "Exchange_Server_Modified_Compiled_Files"

# 2. Exchange Server Modified Compiled Files
Collect-Artifact -SourceDir "C:\inetpub\wwwroot\aspnet_client" -FileMask "Regex:*.\b[a-zA-Z0-9_-]{8}\b.compiled" -FolderName "Exchange_Server_Modified_Compiled_Files"

# 3. Exchange Server Modified Compiled Files
Collect-Artifact -SourceDir "C:\inetpub\wwwroot\aspnet_client\system_web" -FileMask "Regex:*.\b[a-zA-Z0-9_-]{8}\b.compiled" -FolderName "Exchange_Server_Modified_Compiled_Files"

# 4. Exchange Server Modified Compiled Files
Collect-Artifact -SourceDir "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth" -FileMask "Regex:*.\b[a-zA-Z0-9_-]{8}\b.compiled" -FolderName "Exchange_Server_Modified_Compiled_Files"

Write-Host ("Collection complete. Copied: {0}  Missed: {1}  Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

references

news.sophos.com https://news.sophos.com/en-us/2021/03/05/hafnium-advice-about-the-new-nation-state-attack/

notes

Microsoft Exchange CVE-2021-26855

Identified *.compound files are modified XML files associated with malicious dll's.

Query for WebShell IOC's with randomized 8 character names preceding the .compiled file extension.

// description

// paths

// collection commands

// references

// notes

description

paths

collection commands

references

notes